Is Cyber Insurance the best tool to preserve corporate value?

Is Cyber Insurance the best tool to preserve corporate value? That is indeed an appropriate question to ask, as cyber attacks appear to constitute a major threat to businesses today.

Cyber liability policies exist to indemnify and cover losses that may arise from an attack. However, they generally include numerous exclusions and conditions.

Unlike natural hazards and many “classic” hazards, the frequency of cyber attacks is very high. Consider for example:

earthquakes, with frequencies of the order of one in hundreds of years,

flooding, with frequencies of the order of one in decades, and finally

cyber attacks, with frequencies of several per day.

Also, a well-designed and well-executed cyber attack may go undetected for months or years. When it is detected, it may be very difficult to evaluate its effects. Swisscom, the Swiss telecom company, underwent such an attack, as recently revealed in the media.

The multitude of attacks, from different directions and “enemies”, using techniques ranging from sophisticated IT exploits to social engineering, leads to complex, multidimensional consequences and hence to complex risk landscapes.

That is not big news, as over time we have shown that most “accidents” lead to combinations of:

Accordingly, cyber liability policies cover losses up to a client-defined amount. Covered losses may include:

privacy breach liability,

cyber extortion,

business interruption losses,

multimedia liability and public relations costs,

legal expenses, and finally

data theft liability.

However, as indicated earlier, coverage generally comes with numerous significant conditions and exclusions.

Furthermore, difficulties may arise if the insured cannot put a monetary value on the data lost.

How can organizations minimize their cyber risks?

It becomes obvious that cyber insurance alone cannot preserve corporate value, because of the limitations it necessarily carries, which are designed to protect the insurer.

It is also obvious that IT alone cannot do it either, as risks arise from elements of the system that may be far removed from IT. For example, the best way to crash a computer remains pulling the plug or cutting the network cable, and in the Swisscom case cited above, subcontractors’ vulnerabilities were exploited.

So, it all boils down to risk-based decision-making support for mitigation, which most often will not be IT-based but “holistic” in nature. Audits and checks cannot solve this type of problem.

We have developed ORE over the last few decades. ORE allows uncertainties, inter-dependencies, and societal and corporate risk tolerance to be included, and it is ISO 31000 compatible. ORE makes it possible to communicate risks to management and the public thanks to very clear and explicit graphic dashboards (Fig. 2, prior page).

For the sake of graphic simplification we have omitted the uncertainties. Some risks are displayed as a dot (at their centroid), but they should really appear as “bubbles” because of their respective uncertainties in p and C.

In the graph (Fig. 3) you see three groups of risks:

The “blue” ones are tolerable (they lie below the orange line, which is the risk tolerance of that specific corporate client).

The “yellow” ones are intolerable (above the orange line) but manageable, as they could receive mitigation (at a cost) which pushes them down, below the threshold.

The “red” family are intolerable and unmanageable. They cannot be pushed below tolerance within the realm of credibility (above p = one in a million).
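The three-colour scheme above, worked through in code as an added illustration that is not ORE's own method: the tolerance line (p × C ≤ a fixed limit, optionally with a risk-aversion exponent), the mitigation model (each measure scales p or C by a factor for a one-off cost), the credibility floor at p = 10⁻⁶ and the sample risks and figures are all assumptions constructed for the example. Each risk carries low/high ranges for p and C, so the code can also flag the case described two paragraphs earlier: a risk whose centroid dot sits below the line while its uncertainty bubble crosses it.

```python
"""Classify risks in (p, C) space against a corporate tolerance line.

Constructed example. The blue / yellow / red rule follows the text; the
tolerance curve, mitigation model, credibility floor and every sample
value are assumptions for illustration, not ORE's actual implementation.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Tuple

P_CREDIBLE = 1e-6   # credibility floor: p below one in a million is not managed


@dataclass
class Mitigation:
    name: str
    cost: float             # one-off cost, same monetary unit as C
    p_factor: float = 1.0   # multiplies annual probability (0 < factor <= 1)
    c_factor: float = 1.0   # multiplies consequence (0 < factor <= 1)


@dataclass
class Risk:
    name: str
    p: Tuple[float, float]  # (low, high) annual probability: the "bubble" in p
    c: Tuple[float, float]  # (low, high) consequence in monetary units
    mitigations: List[Mitigation] = field(default_factory=list)

    def centroid(self) -> Tuple[float, float]:
        # p and C span orders of magnitude, so the "dot" is the geometric centre
        return ((self.p[0] * self.p[1]) ** 0.5, (self.c[0] * self.c[1]) ** 0.5)


@dataclass
class Tolerance:
    """Assumed tolerance line: p * C**aversion <= limit is tolerable.

    aversion = 1 is an iso-expected-loss line; aversion > 1 makes the client
    more averse to rare but very large losses."""
    limit: float
    aversion: float = 1.0

    def tolerable(self, p: float, c: float) -> bool:
        if p < P_CREDIBLE:          # not credible: below the realm we manage
            return True
        return p * c ** self.aversion <= self.limit


def apply(risk: Risk, chosen: Tuple[Mitigation, ...]) -> Tuple[float, float]:
    """Worst-case corner of the bubble after mitigation; p is clamped at the
    credibility floor, so no measure can push a risk below p = 1e-6."""
    p, c = risk.p[1], risk.c[1]
    for m in chosen:
        p *= m.p_factor
        c *= m.c_factor
    return max(p, P_CREDIBLE), c


def classify(risk: Risk, tol: Tolerance):
    """Return (colour, cheapest mitigation set, residual (p, C), straddles).

    straddles is True when the centroid dot is tolerable but the worst corner
    of the uncertainty bubble is not: a dot-only chart would mislead."""
    worst = (risk.p[1], risk.c[1])
    straddles = tol.tolerable(*risk.centroid()) and not tol.tolerable(*worst)
    if tol.tolerable(*worst):
        return "blue", (), worst, straddles
    best = None
    # try every subset of the available measures, keep the cheapest that works
    for k in range(1, len(risk.mitigations) + 1):
        for combo in combinations(risk.mitigations, k):
            p, c = apply(risk, combo)
            if tol.tolerable(p, c):
                cost = sum(m.cost for m in combo)
                if best is None or cost < best[0]:
                    best = (cost, combo, (p, c))
    if best is None:   # even all measures together leave it above the line
        return "red", (), apply(risk, tuple(risk.mitigations)), straddles
    return "yellow", best[1], best[2], straddles


def risk_register(risks: List[Risk], tol: Tolerance) -> List[Dict]:
    """Classify every risk; rows sorted red, yellow, blue for a dashboard."""
    order = {"red": 0, "yellow": 1, "blue": 2}
    rows = []
    for r in risks:
        colour, chosen, (p, c), straddles = classify(r, tol)
        rows.append({"risk": r.name, "colour": colour,
                     "mitigations": [m.name for m in chosen],
                     "mitigation_cost": sum(m.cost for m in chosen),
                     "residual_p": p, "residual_C": c, "straddles": straddles})
    return sorted(rows, key=lambda row: order[row["colour"]])


# Constructed sample register (assumed figures, not from any real client).
TOLERANCE = Tolerance(limit=50_000, aversion=1.0)
SAMPLE_RISKS = [
    Risk("phishing-led credential theft", p=(0.3, 0.8), c=(20_000, 50_000)),
    Risk("ransomware business interruption", p=(0.05, 0.2), c=(500_000, 2_000_000),
         mitigations=[Mitigation("tested offline backups", 40_000, c_factor=0.1),
                      Mitigation("MFA and endpoint detection", 60_000, p_factor=0.25)]),
    Risk("data theft liability", p=(0.005, 0.05), c=(200_000, 2_000_000),
         mitigations=[Mitigation("encryption at rest", 15_000, c_factor=0.4)]),
    Risk("loss of the whole business", p=(1e-4, 1e-3), c=(6e10, 8e10),
         mitigations=[Mitigation("every affordable measure", 1_000_000, p_factor=1e-4)]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS, TOLERANCE):
        flag = "  (dot looks tolerable, bubble is not)" if row["straddles"] else ""
        print(f'{row["colour"]:6} {row["risk"]:34} p={row["residual_p"]:.1e} '
              f'C={row["residual_C"]:.1e} cost={row["mitigation_cost"]:>9,.0f} '
              f'{row["mitigations"]}{flag}')
```

Run as a script it prints a one-line-per-risk register: the phishing risk is blue, ransomware turns yellow with the cheaper of its two measures (backups alone suffice), data-theft liability is yellow but flagged because its centroid dot would have looked blue, and the whole-business loss stays red because even with p clamped at the credibility floor its consequence keeps it above the line.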